When Web Sockets API says that events should be queued for async dispatch, it means something
different. We should keep this in mind when dealing with other HTML5-related specs.

The model for HTML5 is that code running in response to network events (e.g. WebSocket or
XMLHttpRequest algorithms) runs in a separate thread of execution, and thus needs to post
async events as its only way to communicate with client code. As long as network events are
queued themselves (as they are in WebKit), there is no need to queue JS events for async
dispatch.

I couldn't make a reliable test for this. Once the test from bug 32299 is landed, it
will provide partial coverage, as I was frequently seeing the assertion failure with it.

platform/network/SocketStreamHandleBase.cpp: (WebCore::SocketStreamHandleBase::send):
It's not an error if zero if returned from platformSend() - it just means that nothing could
be pushed down to the network layer, and all data was queued for later.

platform/network/cf/SocketStreamHandleCFNet.cpp:
(WebCore::SocketStreamHandle::readStreamCallback): This will no longer happen with SocketStream,
but a client can potentially destroy the handle from any callback, so we need to check that
this didn't happen.
(WebCore::SocketStreamHandle::writeStreamCallback): Ditto.

JavaScriptCore: ​https://bugs.webkit.org/show_bug.cgi?id=32228
Make destruction of ropes non-recursive to prevent stack exhaustion.
Also, pass a UString& into initializeFiber rather than a Ustring::Rep*,
since the Rep is not being ref counted this could result in usage of a
Rep with refcount zero (where the Rep comes from a temporary UString
returned from a function).

removed the reference to forgetting to set environment variables as a common source of errors
on Windows. This is because this patch would make it unnecessary for the user to set these
variables manually.

This is a fairly disruptive change that refactors how we build
commands. Instead of using a landing sequence, we can now assemble a
sequence of steps directly. We still use the landing sequence in the
interim, but this will be removed soon.

startDelayUpdateScrollInfo calls a function that can end up calling
startDelayUpdateScrollInfo again. However, it's static state is
inconsistent when this happens leading to an assertion failure (or
probably a memory leak if assertions are off).

startDelayUpdateScrollInfo calls a function that can end up calling
startDelayUpdateScrollInfo again. However, it's static state is
inconsistent when this happens leading to an assertion failure (or
probably a memory leak if assertions are off).

<rdar://problem/7295070> WebKit video fullscreen keeps playing after closing the window

Fix a leak of the QTMovieView when exiting fullscreen video, and remove the
old workaround.

WebView/WebVideoFullscreenController.mm:
(-[WebVideoFullscreenController windowDidLoad]): Set the movie view as the contentView directly.
(-[WebVideoFullscreenController setMediaElement:WebCore::]): Cast the contentView to a movie view.
(-[WebVideoFullscreenController windowDidExitFullscreen]): Remove the old workaround.

(WTF::ThreadVerifier::ThreadVerifier): New Debug-only class to verify that ref/deref of RefCounted is done on the same thread.
(WTF::ThreadVerifier::activate): Activates checks. Called when ref count becomes above 2.
(WTF::ThreadVerifier::deactivate): Deactivates checks. Called when ref count drops below 2.
(WTF::ThreadVerifier::disableThreadVerification): used on objects that should not be checked (StringImpl etc)
(WTF::ThreadVerifier::verifyThread):

This recently-introduced regression exposed the fact that
RenderTableCell did not override offsetFromContainer() to adjust for
the fact that table cells’ coordinates are relative to the table
section, not the table row. With this fixed, RenderTableCell no longer
needs to override mapLocalToContainer() and mapAbsoluteToLocalPoint(),
since the base class implementations of those use offsetFromContainer().

​https://bugs.webkit.org/show_bug.cgi?id=32152
Update the ResourceRequest::RequestType. This previously
was specific to Chromium. Moved into ResourceRequestBase, enabling
more specificity about the type (which is otherwise only known to the
loader), and also making this information available to all platforms.
Any platform with a network layer which can utilize this information
may want to use it for prioritization.

(DOMHTMLInputElement::isTextField):
Split a two-clause assertion into two separate assertions.
(DOMHTMLInputElement::rectOnScreen):
Added the two assertions here that all other functions in this group shared.
(DOMHTMLInputElement::selectedRange):
Split a two-clause assertion into two separate assertions.
(DOMHTMLInputElement::setAutofilled):
Split a two-clause assertion into two separate assertions.
(DOMHTMLInputElement::isAutofilled):
Split a two-clause assertion into two separate assertions.

This change fixes (partially) the accesskey issue by decoupling the
code for handling accesskeys and system keys. Because on Mac,
the modifiers of accesskeys are ctrl+alt, which are not marked as
system keys.
In order to fully fix this issue, some changes in Chromium code is
also required.

These two tests assumed wrong length encoding in frame: it parsed
length from bytes with 8th bit on. But spec says length is encoded
as a series of 7-bit bytes stored in octests with the 8th bit on
*but the last byte*.
These tests encodes a frame that has 129 length, so it must be
\x81\0x01 instead of \x81\0x81.

html/HTMLInputElement.cpp:
(WebCore::HTMLInputElement::rangeUnderflow): Unify the code for NUMBER and RANGE.
(WebCore::HTMLInputElement::rangeOverflow): Unify the code for NUMBER and RANGE.
(WebCore::HTMLInputElement::minimum): Renamed from rangeMinimum(), and support for NUMBER.
(WebCore::HTMLInputElement::maximum): Renamed from rangeMaximum(), and support for NUMBER.
(WebCore::HTMLInputElement::stepBase):
(WebCore::HTMLInputElement::stepMismatch): Use stepBase().
(WebCore::HTMLInputElement::applyStepForNumberOrRange):
(WebCore::HTMLInputElement::stepUp):
(WebCore::HTMLInputElement::stepDown):
(WebCore::HTMLInputElement::formStringFromDouble):

A patch for Chromium to restrict the scope of the Gmail focus fix,
where we set the Selection to 0,0 for content-editable fields and
also make sure we set the selection end-state for find to select the
text found (when not focusing a link we found).
WebKit bug: ​https://bugs.webkit.org/show_bug.cgi?id=32248

The counter that WebView used to keep track of the number of enclosed WebHTMLViews using
accelerated compositing was hard to manage, and maintained incorrectly in a number of cases.
This caused one compositing test make DumpRenderTree think that all subsequent tests
were compositing too.

Replace this counter with notifications, which are only fired if a client (DRT) requests them. The
notification informs the client that a WebHTMLView entered compositing mode (or an already-
compositing WebHTML was added); it does not say when a view becomes uncomposited, or all
compositing subviews were removed, since this is tricky to get right.

Change -[WebView _isUsingAcceleratedCompositing] to manually walk the frames, and
return YES if any document view is composited.

<rdar://problem/7443417> - Closing a window opened with "New windows open with: Same Page" results in crash in ::~HistoryItem

Reviewed by Sam Weinig.

The HistoryItem copy constructor has one very specific use case - to support the feature of a WebView copying another WebView's
BackForwardList. That constructor wasn't initializing its m_document pointer, leading to this crash in the destructor.

history/HistoryItem.cpp:

(WebCore::HistoryItem::~HistoryItem): Change the setDocument(0) to an ASSERT that the document is already 0. A HistoryItem cannot

outlive its Document and Documents will always clear the back-pointer in their ::detach() method.

(WebCore::HistoryItem::HistoryItem): Missed the m_document initializer in the copy constructor. Also remove an invalid assertion

about the original items m_cachedPage object (which is irrelevant to the copy).

Fix zero division bugs in SVGPaintServerPattern::setup() that occurred
if the tile of a pattern was bigger than the pattern and the pattern
size was < 0.5, and if the attribute overflow was set to visible.

If the tile of a pattern is bigger than the pattern and the
pattern size is < 0.5, the SVGPaintServer produced a division
by zero. This also only happens, if the attribute overflow is
set to visible.
This is a test with a pattern size of 0.1 and a tile size of 1.

Instead of caching the block selection gaps’ bounds in the RenderView at setSelection()
time, cache them in each RenderLayer at paint time. This prevents the cache from getting
stale due to layout changes and overflow scrolling.

Expose 'alt' attribute from images as accessible name.
Expose the 'title' core HTML attribute as accessible description.
This is a modified version of the original fix submitted by Mario Sanchez Prada,
adjusted so that it doesn't impact other platforms.

By not propagating the resolved font family in FontCacheQt and
only concidering the font description we ended up passing the
generic font families to Qt directly. Since most systems don't
have a mapping for these font families we ended up using the
default font in most cases.

Make all implementations of getOwnPropertyDescriptor that have
cross domain restrictions simply fail immediately on cross domain
access, rather than trying to mimic the behaviour of normal
property access.

condition context (i.e. in an if statement or loop condition), we
used to produce a value, and then separately jump based on its
truthiness. Now we pass the false and true targets in, and let the
logical operators generate jumps directly. This helps in four
ways:

a) Individual clauses of a short-circuit logical operator can now
jump directly to the then or else clause of an if statement (or to
the top or exit of a loop) instead of jumping to a jump.

b) It used to be that jump fusion with the condition of the first
clause of a logical operator was inhibited, because the register
was ref'd to be used later, in the actual condition jump; this no
longer happens since a jump straight to the final target is
generated directly.

c) It used to be that jump fusion with the condition of the second
clause of a logical operator was inhibited, because there was a
jump target right after the second clause and before the actual
condition jump. But now it's no longer necessary for the first
clause to jump there so jump fusion is not blocked.

platform/network/cf/SocketStreamHandleCFNet.cpp:
(WebCore::SocketStreamHandle::readStreamCallback): Call platformClose() to unschedule both
streams, guaranteeing that there will be no callbacks after SocketStreamHandle is destroyed.
(WebCore::SocketStreamHandle::writeStreamCallback): Edited a comment a bit.

Disabled a test because it puts the WebView into compositing mode,
which remains in effect for all subsequent repaint tests, causing them
to fail because DumpRenderTree always forces a full repaint when
generating the image of a WebView that is in compositing mode.

We need to move update-webkit out of SCM.py because SCM isn't supposed to know
that WebKit exists. The proper place for the knowledge of the existence of
update-webkit is in WebKitPort because some ports have specialized update
scripts (analogous to build-webkit).